Showing results for tags 'Malware'.
  1. Researchers have discovered click fraud malware designed to “hide in plain sight” and evade traditional security tools by embedding data into an image file. Lurk is a downloader which uses digital steganography – the art of hiding information in images, audio or video files – according to a Dell SecureWorks Counter Threat Unit (CTU) Threat Intelligence paper by Brett Stone-Gross.

     “Lurk specifically uses an algorithm that can embed encrypted URLs into an image file by inconspicuously manipulating individual pixels. The resulting image contains additional data that is virtually invisible to an observer,” he wrote. “It is unlikely that existing IPS/IDS devices could detect data that is concealed with digital steganography. As a result, Lurk may be able to evade network defenses and hide in plain sight.”

     Lurk comprises two parts – a dropper DLL and a payload DLL – with the former’s main job being to extract and load the latter, he added. Once the main payload DLL executes, it checks the victim computer for 52 different security products and apparently won’t install if it discovers one of 21 specific products.

     “Steganography can make it exceedingly difficult to detect the presence of hidden information such as a configuration file, binary update, or bot command, especially in digital files,” concluded Stone-Gross. “As a result, the use of steganography in malware may become more prevalent in the future.”

     Source
  2. A new remote administration Trojan (RAT) receives command and control instructions through Yahoo Mail, and could be easily modified to communicate with its authors through Gmail or other popular webmail providers. This new RAT’s significance stems primarily from its ability to elude the notice of intrusion detection systems by operating over seemingly benign domains.

     According to an analysis written by Paul Rascagnères of the German security firm G-Data and published by Virus Bulletin, RATs generally transmit the information they steal from victimized machines over a specified port, or by regularly connecting to a remote server. Each of these behaviors is a well-known flag that is likely to trigger detection on corporate networks.

     This RAT, known as IcoScript, has gone largely undetected since 2012. Part of the reason, Rascagnères explains, is that access to webmail services is rarely blocked or blacklisted in corporate environments and such traffic is very unlikely to be considered suspicious. IcoScript makes use of Component Object Model technology in Microsoft Windows, making HTTP requests for remote services through Internet Explorer. Another of its novelties is that it appears to use its own uniquely tailored scripting language to perform various tasks.

     In the sample analyzed by G-Data, IcoScript connected to a Yahoo Mail account controlled by its authors. The authors manipulate the malware by sending specially crafted emails containing coded instructions. “Moreover,” Rascagnères writes, “the modular nature of the malware makes it very easy for the attackers to switch to another webmail service, such as Gmail, or even to use services like Facebook or LinkedIn to control the malware while running a low risk of the communication being blocked.”

     Incident response teams generally contain malware like this, Rascagnères claims, by blocking the URL on the proxy. However, in the case of IcoScript, these URLs are not easily blocked, because they originate from the servers of a trusted service. The efficacy of IcoScript is likely to increase if the attackers diversify the sources of their command and control, configuring samples of the malware to use any number of legitimate webmail providers, social networking sites, and cloud storage services.

     “The containment must be performed on the network flow in real time,” Rascagnères concludes. “This approach is harder to realize and to maintain. It demonstrates both that attackers know how incident response teams work, and that they can adapt their communication to make detection and containment both complicated and expensive.”

     Source
  3. A new form of persistent malware has been discovered, one which does not create any file on the disk and stores all activities in the registry.

     In a blog post published at the end of July, security researcher Paul Rascagneres of GData details the particularities of the new type of malware, dubbed Poweliks, whose methods he labels as “rather rare and new,” since everything is performed in the memory of the computer system and there are several layers of code to get through in order to avoid analysis.

     The attack vector is an email with a maliciously crafted Microsoft Word document attached. The vulnerability leveraged by the attackers is CVE-2012-0158, which affects Office and several other Microsoft products. It is not new, but many users are still using old versions of the software that could be compromised.

     Once the file is launched, the cybercriminals turn on the persistence feature of the malware by creating an encoded autostart key in the registry. It seems that the encoding technique used by the malware was originally created by Microsoft to safeguard their source code from being altered. In order to avoid detection by system tools, the registry key is hidden by giving it a name in non-ASCII characters, which makes it unavailable to the Registry Editor (regedit.exe) in Windows. By creating the auto-start key, the attackers make sure that a reboot of the system does not remove it from the computer.

     By decoding the key, Rascagneres observed two sets of code: one that verified whether the affected machine had Windows PowerShell installed, and another, a Base64-encoded PowerShell script, for calling and executing the shellcode. According to the researcher, the shellcode executes the payload, which attempts to connect to a remote command and control (C&C) server to receive instructions. There are multiple IP addresses for C&C servers, all hard-coded.

     The peculiarity of this malware is that it does not create any file on the disk, making it more difficult to detect through classic protection mechanisms. “To prevent attacks like this, AV solutions have to either catch the file (the initial Word document) before it is executed (if there is one), preferably before it reached the customer’s email inbox. Or, as a next line of defense, they need to detect the software exploit after the file’s execution, or, as a last step, in-registry surveillance has to detect unusual behavior, block the corresponding processes and alert the user,” writes Rascagneres.

     This type of malicious behavior is not new, though, as a sample was also analyzed on KernelMode.info in mid-July this year. In that case, the same vulnerability was exploited through a malicious RTF attached to an email claiming to be from Canada Post and/or the USPS mail service.

     Source: http://news.softpedia.com/news/Registry-Residing-Malware-Creates-No-File-for-Antivirus-To-Scan-453374.shtml#
  4. Cybercriminals always look for the weakest link they can leverage to make as many victims as possible, and it looks like web browsers with out-of-date plugins are the norm in Europe.

     [Image: Browser plugin update situation in Europe]

     According to the latest statistics from the Germany-based Cyscon GmbH, a company specializing in detecting and mitigating cyber threats, the users of most countries in Europe rely on poorly updated web browsers to explore the online world, which translates into plenty of possible victims for the crooks. The company makes available an interactive map that shows, in percentage, the proportion of a country’s users that do not rely on a browser that integrates plugin components updated with the latest patches available.

     According to Cyscon’s statistics at the time of writing, the European country whose users are most aware of the security risks posed by out-of-date web browsing software is the Netherlands, where 51% of computer users have at least one plugin component in the browser that needs to be updated. Although this is an alarming value, the country whose users would be most prone to falling victim to a cybercriminal is Croatia, where it appears that 97% of the users contributing to Cyscon’s statistics have not installed all the updates for said components. It is followed by the Republic of Moldova, with 94%, Serbia with 86% and Germany with 80%.

     As shown by these statistics, there is no country with users sufficiently aware of the risk posed by an old component with security glitches to report out-of-date figures lower than 50%.

     Source
  5. Cyber security sleuths have alerted Indian Internet users against hacking attempts of a clandestine multi-identity virus – Bladabindi – which steals sensitive personal information of a user for nefarious purposes.

     The virus, the Computer Emergency Response Team-India (CERT-In) said, could infect the "Microsoft Windows operating system" and spreads through removable USB flash drives, popularly known as pendrives and data cards, as well as through other malware. CERT-In is the nodal national agency to combat hacking and phishing and to fortify security-related defences of the Indian Internet domain.

     "It has been reported that variants of malware called Bladabindi are spreading. This malware steals sensitive user information from infected computer system. Bladabindi could also be used as malware downloader to propagate further malware and provide backdoor access to the remote attacker. Some of the Bladabindi variants could capture keyboard press, control computer camera and later send collected sensitive information to remote attacker. Bladabindi is infecting Microsoft Windows operating system and spreading via infecting removable USB flash drives and via other malwares," the latest advisory by the agency said.

     The threat potential of the malware or the virus can be gauged from the fact that it can acquire as many as 12 aliases to conceal its real identity and later affect a computer system or the personal information of a user. "Bladabindi variants can be created using a publicly available malicious hacker tool. Attacker can create a malicious file using any choice of icon to mislead or entice naive user into running the malicious file," the advisory said.

     The virus possesses a unique ability to acquire a safe network domain id in order to falsely add itself to the firewall exclusion list and bypass a user's firewall mechanism. A typical 'Bladabindi' variant propagates by copying itself into the root folder of a removable drive and creating a shortcut file with the name and folder icon of the drive. When the user clicks on the shortcut, the malware gets executed and Windows Explorer is opened, making it seem as if nothing malicious happened.

     A potential attack by the virus could result in the loss of important proprietary data of a user like "computer name, country and serial number, Windows user name, computer's operating system version, Chrome stored passwords, Firefox stored passwords," the agency said in the advisory. "The malware can also use infected computer's camera to record and steal personal information. It checks for camera drivers and installs a DLL plugin so it can record and upload the video to a remote attacker. The malware can also log or capture keystrokes to steal credentials like user names and passwords," the CERT-In cautioned users.

     The agency has also suggested some countermeasures against 'Bladabindi'. "Scan computer system with the free removal tools, disable the autorun functionality in Windows, use USB clean or vaccination software, keep up-to-date patches and fixes on the operating system and application software, deploy up-to-date anti-virus and anti-spyware signatures at desktop and gateway level," the agency suggested. It also recommended that users not follow unsolicited web links or attachments in email messages, not visit untrusted websites, use strong passwords and also enable password policies, enable a firewall at desktop and gateway level, guard against social engineering attacks and limit user privileges.

     Source: http://www.financialexpress.com/news/hacking-virus-bladabindi-prowling-in-india-targets-microsoft-windows-os/1273299/0
  6. GridinSoft Trojan Killer

     GridinSoft Trojan Killer – an advanced program to clean your computer of all malicious threats! If you are a regular internet user, you should take steps to protect your personal information against cyber-criminals. Trojan Killer can help you in this matter! The program quickly identifies (recognizes) and immediately removes dangerous malicious Trojans – spyware and adware, malware that blocks and restricts the activities of tools, keyloggers, etc. – before irreversible painful events arrive in the form of stolen accounts, passwords, credit card numbers, personal, corporate and other information.

     Trojan Killer is designed specifically to disable / remove Malware without the user having to manually edit system files or the registry. The program also removes the additional system modifications that are ignored by some standard antivirus scanners. Trojan Killer scans ALL the files loaded at boot time, Adware, Spyware, Remote Access Trojans, Internet Worms and other malware. Trojan Killer works in a security system for providing security in computer systems. The program will help you get rid of annoying adware, malware and other rogue tools. It is very important to restore control over your computer, and not let anyone use your data.

     Additional tools:

     Reset Internet Explorer Home / Start / Search Page Settings: Some Malware programs make changes to the Internet Explorer Home, Start and Search Page settings, in order to redirect the web browser to different websites. This utility will reset the Home / Start / Search pages to standard Defaults. You can then manually reset your Home Page to your website of choice (or leave it "blank", the default).

     Restore the HOSTS file: The Windows HOSTS file is a text file which stores website addresses. The file can be used to speed up access to websites you visit often – by equating the website name to its DNS address, the web browser can find the website more quickly as it does not have to query a DNS name server. Some Malware programs add entries to this file, to either deny access to websites (usually security-related web sites or antivirus company sites), or re-direct access to websites of their choosing.

     Reset Windows Update policy: Some Malware programs attempt to prevent Windows Update from running, and inhibit access to resetting Windows Update, by blanking out the Windows Update options on the Configure Update page.

     Website: http://www.gridinsoft.com
     OS: Windows XP / Vista / 7 / 8
     Language: Ml
     Medicine: Patch / Keymaker
     Size: 46,00 Mb.
  7. ViRobot APT Shield 2.0 is the best PC security program to block attacks on vulnerabilities (including Zero-Day vulnerabilities and Drive-by download vulnerabilities) in applications and Windows OS (including Windows XP) in advance, and it is compatible with anti-malware programs. Especially, ViRobot APT Shield 2.0 will be the best choice for PCs which cannot be upgraded from Windows XP to a higher version of Windows.

     Features
     1. Response to a variety of attacks on application vulnerabilities. It blocks attacks that use vulnerabilities in advance for applications such as document programs (MS Office, Adobe Reader, ...), Web browsers (IE, Firefox, Chrome, ...), Media players, Messengers, Compression software, etc.
     2. Blocking vulnerabilities due to the end of Windows XP support. It prevents attacks that use vulnerabilities in advance for Windows versions to which security patches cannot be applied.
     3. Complementing the limits of Signature-based anti-virus. By behavior-based technology, it blocks creation and execution of malicious code that exploits vulnerabilities, and it also doesn't need pattern updates.
     4. Blocking the acceleration of document leaks to many unspecified targets. Recently, malicious code has been using social engineering to exfiltrate important documents from companies, but this product blocks it completely.
     5. Handling systems which are difficult to update with Windows security patches. It's a very light product, because it requires only minimal hardware resources. It's suitable for various environments in the enterprise which are difficult to update with Windows security patches.

     Functions
     1. Enhanced detection for malicious code. It can block Zero-Day attacks in advance. It's not necessary to worry about false positives, because it detects abnormal behaviors of applications. It's possible to detect malicious code in real time.
     2. Flexible scalability and low costs. It's compatible with anti-malware products all around the world, which ensures flexible scalability. It can save cost compared to network-based detection solutions. (No extra charge except the license fee.)
     3. Management efficiency. It's possible to control security systems by connection with integrated log equipment (e.g. ESM). A monitoring service is provided through installation of a Web log server.
     4. Usability. Pattern updates are not required. It's simple to install (the installation takes less than 10 seconds). The portion of end users' direct control is minimized. It uses minimum resources (e.g. memory usage: less than 10MB).

     Blocking malicious code that exploits vulnerabilities in applications:
     Document program – MS Office, Adobe Reader, Ichitaro, etc.
     Web browser – IE, Firefox, Chrome, Safari, Opera, Java, Flash, ActiveX, etc.
     Media player – RealPlayer, QuickTime Player, Winamp, etc.
     Messenger – Skype, Yahoo, Google, etc.
     Compression software – WinZip, WinRAR, 7-Zip, etc.

     Homepage: http://www.aptshield.net/
     Download link: http://www.aptshield.net/apt_individual_download.html
     Requirements: CPU: Intel Pentium III 500MHz or above; RAM: 512 MB or above; HDD: free space more than 500 MB; OS: Windows XP / Windows Vista / Windows 7 / Windows 8 / Windows Server 2003 / Windows Server 2008 / Windows Server 2012 – x86 and x64.
  8. Like most profitable criminal enterprises, the Shylock banking malware thrived because it was supported by a nimble infrastructure that allowed it to stay one step ahead of network and security monitoring capabilities, and the authorities. That race ended this week.

     Europol announced today that it, along with numerous law enforcement and industry partners, had carried out a successful takedown of the Shylock infrastructure. The two-day culmination of the operation took place on Tuesday and Wednesday and was coordinated by the U.K.’s National Crime Agency and supported by Europol, the FBI, GCHQ in the U.K., and industry companies including Kaspersky Lab, BAE Systems Applied Intelligence and Dell SecureWorks.

     “Law enforcement agencies took action to disrupt the system which Shylock depends on to operate effectively,” Europol said in a statement. “This comprised the seizure of servers which form the command and control system for the Trojan, as well as taking control of the domains Shylock uses for communication between infected computers.”

     Few details were provided on the location of the command and control infrastructure, but Europol said it coordinated investigative actions with cooperation from authorities in Italy, the Netherlands, Turkey, Germany, France and Poland. CERT-EU, Europol said, was also instrumental in providing data on the malicious domains used by Shylock. No arrests were announced, though Europol said that previously unknown parts of the Shylock infrastructure were uncovered and additional law enforcement action may be upcoming.

     “It has been a pleasure for me to see the international cooperation between police officers and prosecutors from many countries, and we have again tested our improved ability to rapidly react to cyber threats in or outside the EU,” said Troels Oerting, head of the European Cybercrime Center at Europol. “It’s another step in the right direction for law enforcement and prosecutors in the EU and I thank all involved for their huge commitment and dedication.”

     Major takedowns of botnets and other cybercrime operations are quickly becoming commonplace. Though usually not a permanent solution, takedowns such as this one and the recent Gameover Zeus takedown, which also impacted the Cryptolocker infrastructure, indicate improving cooperation between international law enforcement.

     “The NCA is coordinating an international response to a cybercrime threat to businesses and individuals around the world,” said Andy Archibald, Deputy Director of the NCA’s National Cyber Crime Unit in the U.K. “This phase of activity is intended to have a significant effect on the Shylock infrastructure, and demonstrates how we are using partnerships across sectors and across national boundaries to cut cybercrime.”

     Shylock, like Zeus, targeted banking credentials. Victims were usually tricked or lured into clicking on a malicious link that infected computers with the Trojan. Shylock surfaced in 2011 and at first was limited to the U.K., but quickly expanded into a global operation concentrating on victims in Europe and the United States. Online banking customers were victimized by Shylock’s man-in-the-browser style attacks against a predetermined list of as many as 60 banks. The Trojan would sniff out banking credentials and loot accounts.

     “Banking fraud campaigns are no longer one-off cases. We’ve seen a significant rise in these kinds of malicious operations,” said Sergey Golovanov, Principal Security Researcher at Kaspersky Lab. “To fight cybercrime, we provide threat intelligence to law enforcement agencies all over the world and cooperate with international organizations such as Europol. Global action brings positive results – an example being the operation targeting Shylock malware.” Golovanov said in 2013 the number of cyberattacks involving malware designed to steal financial data increased by 27.6 percent to reach 28.4 million.

     The attackers behind Shylock were also careful to hide their tracks. Like other similar malware, such as versions of PushDo, Zeus and TDL/TDSS, Shylock made good use of a domain generation algorithm to send stolen data back to the attackers. The DGA feature sidestepped detection and research efforts effectively, experts said. One version of Shylock that surfaced in January 2013 was capable of spreading through Skype, in addition to network shares and even removable USB drives. Ultimately, Shylock could also steal browser cookies, use web injects on infected browsers and download and execute files on compromised machines.

     This article was updated at 12:15 p.m. ET with comments from Kaspersky Lab.

     Source
  9. More and more pieces of malware have become capable of targeting users running 64-bit versions of operating systems. One of them is KIVARS, a piece of malware whose 64-bit version was recently analyzed by researchers from Trend Micro.

     According to the security firm, the Trojan is distributed with the aid of TROJ_FAKEWORD.A, a dropper that's designed to drop two executable files and a Microsoft Word document on infected systems. In the 32-bit version, the executable files are copied into the "windows system" folder with the names iprips.dll, which is detected by Trend Micro as TROJ_KIVARSLDR, and winbs2.dll, detected as BKDR_KIVARS. The latest versions of KIVARS, which can target both 32-bit and 64-bit systems, drop these components in the same folder, but under a random name, with the backdoor file having either a .tib or a .dat extension.

     The dropper uses the right-to-left override (RLO) technique and a genuine Microsoft Word icon to make it look like the document file, which is password protected and acts as a decoy, is genuine, Trend said. These techniques have also been used in a campaign targeted at government agencies in Taiwan, which Trend Micro recently analyzed.

     Once executed, TROJ_KIVARSLDR, the loader installed as a service named iprip, loads and runs the backdoor payload BKDR_KIVARS in memory, Trend explained. The backdoor is capable of carrying out various tasks, including downloading, uploading and manipulating files, uninstalling malware services, taking screenshots, activating a keylogger, manipulating active windows, and executing mouse and keyboard actions. In the versions that support 64-bit operating systems, the loader is installed as services named Iprip, Irmon and ias.

     Additionally, the backdoor uses a slightly modified version of the RC4 encryption algorithm to encrypt its configuration information. RC4 is also used to encrypt the first packets sent by the malware back to the command and control (C&C) server. These initial packets contain information such as the victim’s IP, OS version, username, hostname, the version of KIVARS, and the layout of the keyboard attached to the infected device. In the latest versions of KIVARS, a randomly-generated packet is sent first to the C&C, based on which a key is generated to help the malware verify the reply from the server. Only then is the system information encrypted with RC4 and sent to the C&C.

     "The earlier versions of this BKDR_KIVARS only encrypts the 'MZ' magic byte for the backdoor payload. As for the newer versions, the backdoor payload is now encrypted using the modified RC4," Trend Micro Threat Analyst Kervin Alintanahin explained in a blog post. The threat group behind this campaign also uses the POISON remote access Trojan (RAT) for its malicious activities, Trend Micro said.

     Source
  10. Hackers are targeting Brazil’s Boleto payment system, the second most popular payment method in the country, and have conducted hundreds of thousands of fraudulent transactions valued at close to $4 billion.

     Formally known as Boleto Bancario, Boletos are financial documents issued by banks that can be used by consumers to make payments to utilities and other outlets. Boletos are either printed and mailed to customers, or are generated and sent via electronic transfers. Common to all are a bar code, an identification field or numerical representation of the bar code, and an identification number.

     Researchers at RSA Security yesterday reported the discovery of an extensive and effective malware campaign that’s been operating for two years and has ratcheted up the sophistication of Boleto fraud, which used to be confined to offline forgery of the payment documents. The Boleto malware attacks leverage man-in-the-browser infections to attack vulnerabilities in Chrome, Firefox and Internet Explorer running on Windows PCs and redirect Boleto payments to the attacker’s money mule account.

     “Since the malware is MITB, all malware activities are invisible to both the victim and the web application,” RSA said in its report, adding that there are up to 19 variants of the malware. RSA said it has detected 495,753 fraudulent Boleto transactions since 2012, valued at $3.75 billion USD.

     “Boleto malware is a major fraud operation and a serious cybercrime threat to banks, merchants and banking customers in Brazil,” RSA said. “While the Bolware fraud ring may not be as far-reaching as some larger international cybercrime operations, it does appear to be an extremely lucrative venture for its masterminds.”

     In a legitimate online Boleto transaction, an online store, for example, will generate and send the Boleto to a customer. The customer can then choose where to use it once it’s displayed in the browser. Once an infected PC is used, the Boleto data is stolen along with all browser data and sent to the attacker’s server. The attacker then modifies the Boleto data to send payments to the hacker’s mule account rather than to the bank.

     RSA said it has detected 192,227 bots, or unique IPs, that have been infected. More than 30 bank brands have been affected in this campaign, which has also scooped up more than 83,000 email credentials and other data stolen by the malware. RSA said this type of fraud is difficult for the customer to detect because the ID number fields aren’t tied to a payee and customers don’t generally validate that type of information. Banks, RSA said, don’t detect the fraud immediately because transactions are coming from customer computers and customers make frequent Boleto payments. Fraudulent Boleto ID numbers and attack characteristics have been turned over to the FBI and Brazil’s federal police, RSA said.

     “While the Boleto malware and the manner in which it modifies Boleto transactions is difficult to detect, it appears to affect only Boletos that are generated or paid online via infected Windows-based PCs using three popular web browsers,” RSA said. “RSA Research has not seen evidence of compromise with transactions via Boleto mobile applications or DDA (authorized direct debit) digital wallets.”

     Source
  11. Security researchers have uncovered a new Stuxnet like malware, named as “Havex”, which was used in a number of previous cyber attacks against organizations in the energy sector. Just like Famous Stuxnet Worm, which was specially designed to sabotage the Iranian nuclear project, the new trojan Havex is also programmed to infect industrial control system softwares of SCADA and ICS systems, with the capability to possibly disable hydroelectric dams, overload nuclear power plants, and even can shut down a country’s power grid with a single keystroke. According to security firm F-Secure who first discovered it as Backdoor:W32/Havex.A., it is a generic remote access Trojan (RAT) and has recently been used to carry out industrial espionage against a number of companies in Europe that use or develop industrial applications and machines. SMARTY PANTS, TROJANIZED INSTALLERS To accomplish this, besides traditional infection methods such as exploit kits and spam emails, cybercriminals also used an another effective method to spread Havex RAT, i.e. hacking the websites of software companies and waiting for the targets to install trojanized versions of legitimate apps. During installation, the trojanized software setup drops a file called "mbcheck.dll", which is actually Havex malware, that attackers are using as a backdoor. “The C&C server will [then] instruct infected computers to download and execute further components,” “We gathered and analyzed 88 variants of the Havex RAT used to gain access to, and harvest data from, networks and machines of interest. This analysis included investigation of 146 command and control (C&C) servers contacted by the variants, which in turn involved tracing around 1500 IP addresses in an attempt to identify victims.” F-Secure said. F-secure didn't mention the names of the affected vendors, but an industrial machine producer and two educational organizations in France, with companies in Germany were targeted. 
INFORMATION GATHERING
The Havex RAT is equipped with a new component whose purpose is to gather information about the network and connected devices by leveraging the OPC (Open Platform Communications) standard. OPC is a communications standard that allows interaction between Windows-based SCADA applications and process control hardware. The malware scans the local network for devices that respond to OPC requests in order to gather information about industrial control devices, and then sends that information back to its command-and-control (C&C) server. Other than this, it also includes information-harvesting tools that gather data from the infected systems, such as:
• Operating system related information
• A credential-harvesting tool that steals passwords stored in open web browsers
• A component that communicates with different command-and-control servers using custom protocols and executes tertiary payloads in memory.
“So far, we have not seen any payloads that attempt to control the connected hardware,” F-Secure confirmed.
MOTIVATION?
While their motivation is unclear at this point, “We also identified an additional component used by the attackers that includes code to harvest data from infected machines used in ICS/SCADA systems. This indicates that the attackers are not just interested in compromising the networks of companies they are interested in, but are also motivated in having control of the ICS/SCADA systems in those organizations,” F-Secure noted.
HAVEX TROJAN FROM RUSSIANS?
In January this year, cybersecurity firm CrowdStrike revealed a cyber espionage campaign, dubbed "Energetic Bear," in which hackers possibly tied to the Russian Federation penetrated the computer networks of energy companies in Europe, the United States and Asia. According to CrowdStrike, the malware used in those cyber attacks was the HAVEX RAT and the SYSMain RAT, and possibly the HAVEX RAT is itself a newer version of the SYSMain RAT; both tools have been operated by the attackers since at least 2011.
That means it is possible that the Havex RAT could be somehow linked to Russian hackers or state-sponsored by the Russian government. Source
  12. IObit Malware Fighter Pro
IObit Malware Fighter is an advanced malware & spyware removal utility that detects and removes the deepest infections, and protects your PC from various potential spyware, adware, trojans, keyloggers, bots, worms, and hijackers. With the improved, unique "Dual-Core" engine and heuristic malware detection, IObit Malware Fighter detects the most complex and deepest spyware and malware in a very fast and efficient way.
Here are some key features of "IObit Malware Fighter":
• One-click Solution and Very Easy to Use: Traditional advantages of IObit products. We love simple and automatic styles.
• Complete PC Security Care: Anti-malware, anti-spyware, anti-adware, anti-trojan, anti-bots, and more. IObit Malware Fighter can assist your antivirus to defend against any tricky and complex threats.
• Finds the Deepest Infections: Using DOG (Digital Original Gene), a novel heuristic malware detection method, IObit Malware Fighter can find the most complex threats.
• Very Fast and Light: Thanks to the improved, unique "Dual-Core" anti-malware engine, complicated analysis can be made faster now.
• Works with All Antivirus Products: Everyone needs qualified antivirus software, and IObit Malware Fighter will surely be the best mate for your current antivirus.
• Automated Working in the Background: Just install it and forget it. This powerful utility works continuously, automatically and quietly in the background on your PC. You can set it to your schedule or just let it work automatically when your PC is idle.
• Automatic and Frequent Updates: With the new-generation malware analysis system and our professional database team, IObit Malware Fighter catches emerging dangerous malware on the Internet.
Website: http://www.iobit.com
OS: Windows XP / Vista / 7 / 8 / 8.1
Language: ML
Medicine: Key / Keygen
Size: 25,84 Mb.
  13. Cybercriminals and advanced attackers are freely borrowing from one another’s repertoires to great success. The latest example involves spammers firing off up to a half-million email messages during limited campaign segments without triggering any detection alarms. Security company FireEye said the attackers have found a winning formula to evade detection in one used by a number of APT campaigns, in which attack attributes are changed at a higher rate than IDS and other defenses can keep up with. The campaigns, carried out by the Asprox botnet, were first spotted late last year and by the end of May were spiking noticeably. “Since then, the threat actors have continuously tweaked the malware by changing its hardcoded strings, remote access commands, and encryption keys,” FireEye said in a report. In the past, APT campaigns carried out by nation states for the purposes of economic espionage or intelligence gathering have begun to rely on tactics used in commercial malware campaigns. In May 2013, advanced attacks against NGOs, technology companies and government agencies were spotted, and hints were found that the organizers had either borrowed or purchased commercial malware and propagation tools from the criminal underground. The Asprox campaigns have a much wider reach, infecting victims in countries worldwide in varied industries. The most recent iteration spotted by FireEye had also moved from including links to malicious sites and malware downloads to embedding malicious code in attachments pretending to be a Microsoft Office document in a .zip file. Once the victim falls for the phishing or spam email and opens the infected attachment, the malware is injected into a process created by the attacker. Soon backdoor channels are opened to command and control servers and data is moved off machines in an encrypted format to the attackers. Formerly, Asprox campaigns used themes that ranged from airline tickets to United States Postal Service spam.
The attackers have moved off those themes to court-related emails. Victims are seeing phony notices for court appearances, warrants, hearing dates and pre-trial notices. And it seems to be working. “We saw about 6400 unique MD5s sent out on May 29th. That is a 16,000 percent increase in unique MD5s over the usual malicious email campaign we’d observed,” FireEye said. “Compared to other recent email campaigns, Asprox uses a volume of unique samples for its campaign.” FireEye also said that campaigns that kicked off in May and lasted into June were also relying on a host of new command and control IP addresses. The malware includes commands to download additional code from a third-party site, code updates, registry modifications and even a command to remove itself, among others. “The data reveals that each of the Asprox botnet’s malicious email campaigns changes its method of luring victims and C2 domains, as well as the technical details on monthly intervals,” FireEye said. “And, with each new improvement, it becomes more difficult for traditional security methods to detect certain types of malware.” Source
  14. A new and relatively rare Zeus-like Trojan program has been found which is totally different from other banking Trojans and has the capability to secretly steal data from forms, login credentials and files from the victim, as well as create fake web pages and take screenshots of the victim's computer. Researchers at RSA Security’s FraudAction team have discovered this new and critical threat, dubbed ‘Pandemiya’, which is being offered to cyber criminals in underground forums as an alternative to the infamous Zeus Trojan and its many variants, which have been widely used by cybercriminals for years to steal banking information from consumers and companies. The source code of the Zeus banking Trojan has been available on the underground forums for the past few years, which has led malware developers to design more sophisticated variants of the Zeus Trojan such as Citadel, Ice IX and Gameover Zeus. But Pandemiya is by far the most isolated and dangerous piece of malware, as the author spent a year writing the code for Pandemiya, which includes 25,000 lines of original code written in C. Like other commercial Trojans, Pandemiya infects machines through exploit kits and drive-by download attacks that exploit flaws in vulnerable software such as Java, Silverlight and Flash within a few seconds of the victim landing on the web page, in order to boost the infection rate. “Pandemiya’s coding quality is quite interesting, and contrary to recent trends in malware development, it is not based on Zeus source code at all, unlike Citadel/Ice IX, etc.,” researchers from RSA, the security division of EMC, said Tuesday in a blog post. “Through our research, we found out that the author of Pandemiya spent close to a year of coding the application, and that it consists of more than 25,000 lines of original code in C.” The Pandemiya Trojan uses the Windows CreateProcess API to inject itself into every new process that is initiated, including Explorer.exe, and re-injects itself when needed.
Pandemiya is being sold for as much as $2,000 USD and provides all the nasty features, including encrypted communication with command and control servers in an effort to evade detection. The Trojan has been designed with a modular architecture to load external plug-ins, which allows hackers to add extra features simply by writing a new DLL (dynamic link library). The extra plug-ins easily add capabilities to the Trojan’s core functionality, which is why the developer charges an extra $500 USD to get the core application as well as its plugins, which allow cybercriminals to open reverse proxies on infected computers, steal FTP credentials and infect executable files in order to inject the malware at start-up. "The advent of a freshly coded new trojan malware application is not too common in the underground," Marcus writes, adding that the modular approach in Pandemiya could make it “more pervasive in the near future." The malware developers are also working on other new features to add reverse Remote Desktop Protocol connections and a Facebook attack module in order to spread the Trojan through hijacked Facebook accounts.
HOW TO REMOVE PANDEMIYA TROJAN
The Trojan can be easily removed with a little modification in the registry and a command line action, as explained below:
1. Locate the registry key HKEY_LOCAL_USER\Software\Microsoft\Windows\CurrentVersion\Run and identify the *.EXE filename in your user’s ‘Application Data’ folder. Note the name, and delete the registry value.
2. Locate the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls. Find the value with the same name as the *.EXE file in the previous step. Note the file name, and remove the value from the registry.
3. Reboot the system. At this stage Pandemiya is installed but no longer running.
4. Delete both files noted earlier. This will remove the last traces of the Trojan. Your system is now clean.
Stay Safe! Source
  15. A new spam campaign has emerged in support of the Asprox botnet. The scheme involves shipping receipt emails that contain malicious links and purport to come from the United States Postal Service (USPS). Anyone who receives one of these emails and clicks on the link therein will have a zip file downloaded onto their machine, according to a Zscaler report. After a user downloads the zip file, it shows up as a seemingly legitimate looking Word document on the Windows desktop. That file is in actuality an executable which must be opened before the user becomes infected with the malware. Researchers from the security firm StopMalvertising analyzed Asprox – also known as Kulouz – in November. They found that the strain of malware began as a password-stealing botnet, but has since evolved to where its primary purpose is to launch automated SQL injection attacks. Asprox, they say, is notorious for spoofing shipping companies like the United Parcel Service and FedEx. Asprox is not new, with references to it on Threatpost dating back as far as 2009. As of Zscaler’s publication, the threat was scoring a fairly dangerous 4/52 on VirusTotal. At the time of our publication, the detection engines appear to have taken notice, and the threat is now scoring a less potent 27/52. According to the report, the malware copies itself into an infected user’s Local Application Data before creating an autostarter to ensure that the infection stays around even after restart. “The common factor across all of these dropped files is that they all POST bzip2 compressed data which is then encrypted with a 16-byte random RC4 key via HTTP as reported by StopMalvertising,” wrote Chris Mannon in the Zscaler analysis. “We’re seeing a growing number of attacks which utilize this method of phone home activity. The case of this Asprox threat phones home over ports 443 and 8080.” Source
  16. IObit Malware Fighter Pro + Portable
IObit Malware Fighter is an advanced malware & spyware removal utility that detects and removes the deepest infections, and protects your PC from various potential spyware, adware, trojans, keyloggers, bots, worms, and hijackers. With the improved, unique "Dual-Core" engine and heuristic malware detection, IObit Malware Fighter detects the most complex and deepest spyware and malware in a very fast and efficient way.
Here are some key features of "IObit Malware Fighter":
• One-click Solution and Very Easy to Use: Traditional advantages of IObit products. We love simple and automatic styles.
• Complete PC Security Care: Anti-malware, anti-spyware, anti-adware, anti-trojan, anti-bots, and more. IObit Malware Fighter can assist your antivirus to defend against any tricky and complex threats.
• Finds the Deepest Infections: Using DOG (Digital Original Gene), a novel heuristic malware detection method, IObit Malware Fighter can find the most complex threats.
• Very Fast and Light: Thanks to the improved, unique "Dual-Core" anti-malware engine, complicated analysis can be made faster now.
• Works with All Antivirus Products: Everyone needs qualified antivirus software, and IObit Malware Fighter will surely be the best mate for your current antivirus.
• Automated Working in the Background: Just install it and forget it. This powerful utility works continuously, automatically and quietly in the background on your PC. You can set it to your schedule or just let it work automatically when your PC is idle.
• Automatic and Frequent Updates: With the new-generation malware analysis system and our professional database team, IObit Malware Fighter catches emerging dangerous malware on the Internet.
Website: http://www.iobit.com
OS: Windows XP / Vista / 7 / 8 / 8.1
Language: ML
Medicine: Key / Keygen
Size: 25,92 / 29,28 Mb.
  17. IObit Malware Fighter Pro
IObit Malware Fighter is an advanced malware & spyware removal utility that detects and removes the deepest infections, and protects your PC from various potential spyware, adware, trojans, keyloggers, bots, worms, and hijackers. With the improved, unique "Dual-Core" engine and heuristic malware detection, IObit Malware Fighter detects the most complex and deepest spyware and malware in a very fast and efficient way.
Here are some key features of "IObit Malware Fighter":
• One-click Solution and Very Easy to Use: Traditional advantages of IObit products. We love simple and automatic styles.
• Complete PC Security Care: Anti-malware, anti-spyware, anti-adware, anti-trojan, anti-bots, and more. IObit Malware Fighter can assist your antivirus to defend against any tricky and complex threats.
• Finds the Deepest Infections: Using DOG (Digital Original Gene), a novel heuristic malware detection method, IObit Malware Fighter can find the most complex threats.
• Very Fast and Light: Thanks to the improved, unique "Dual-Core" anti-malware engine, complicated analysis can be made faster now.
• Works with All Antivirus Products: Everyone needs qualified antivirus software, and IObit Malware Fighter will surely be the best mate for your current antivirus.
• Automated Working in the Background: Just install it and forget it. This powerful utility works continuously, automatically and quietly in the background on your PC. You can set it to your schedule or just let it work automatically when your PC is idle.
• Automatic and Frequent Updates: With the new-generation malware analysis system and our professional database team, IObit Malware Fighter catches emerging dangerous malware on the Internet.
Website: http://www.iobit.com
OS: Windows XP / Vista / 7 / 8 / 8.1
Language: ML
Medicine: Key / Keygen
Size: 26,63 Mb.
  18. Plenty has been written about the Sefnit malware family and its favor for using Tor to mask communication, as well as the money it’s made for criminals via click-fraud schemes. Sefnit, however, has had a pair of accomplices that until recently were regarded as harmless programs by most security companies. The trio, which now includes the two malware families Rotbrow and Brantall, is responsible for a startling jump in malware infections detected in the fourth quarter of last year, according to Microsoft. In its latest Security Intelligence Report (SIR), Microsoft puts the blame on Sefnit et al. for a 3x increase in worldwide infection rates at the end of last year. The SIR reports on malware and vulnerability trends based on data collected by various Microsoft security products, including the Malicious Software Removal Tool (MSRT). Through the first three quarters, infection rates were at around six computers cleaned per 1,000 scanned. In Q4, that number jumped to 18 per 1,000. Sefnit is the principal antagonist here, and it’s difficult to handle because it’s distributed through a number of non-traditional means, including peer-to-peer file sharing networks, and almost always it’s disguised as legitimate software or bundled with something else. Enter Rotbrow and Brantall, both of which have been reclassified as malware by Microsoft, and both of which present themselves to victims as legitimate software packages. Rotbrow, for example, pretends to be a safeguard against browser add-ons, while Brantall purports to be an installer for legitimate programs, Microsoft said. Microsoft said that both have been seen installing Sefnit. “Microsoft has been aware of this program since 2011, but it had never displayed malicious behavior until its association with Sefnit was discovered in 2013,” the SIR says.
“Researchers discovered that some versions of the Browser Protector process, called BitGuard.exe, drop an installer for a harmless program called File Scout, and also secretly install Sefnit at the same time.” “Detections of Rotbrow decreased considerably after December, and the MMPC expects the CCM infection rate to return to more typical levels in subsequent quarters as the MSRT and other security products resolve the remaining backlog of old Rotbrow infections,” the SIR says. Sefnit, meanwhile, remains an evolving threat, with a recent campaign shunning Tor as a command and control channel in favor of SSH, a more traditional channel. In addition to click fraud, Sefnit is also used for Bitcoin mining and search result hijacking. A new click-fraud component discovered last year, Microsoft said, is used as a proxy service to relay HTTP traffic which is triggered to click on pay-per-click ads. The SIR also covered vulnerability trends, noting that high severity vulnerability disclosures were down almost nine percent, while medium severity disclosures were up 19 percent and accounted for 59 percent of disclosures in the second half of the year. Industry-wide, vulnerabilities in apps other than browsers and OS apps increased 34 percent. OS vulnerabilities climbed 48 percent, while OS application vulnerabilities dropped 46 percent. Browser vulnerability disclosures were also down 28 percent in the second half of 2013. As for exploits, Microsoft reports that Java-based attacks are still king, followed by HTML/JavaScript attacks, though both dipped a bit in the fourth quarter, Microsoft said. The decline in both attacks could be traced to the disappearance of the Blackhole Exploit Kit upon the October arrest of its alleged author Paunch. Source
  19. New research carried out by analysts from Intelligent Content Protection concludes that 90 percent of the top pirate sites link to malware or other unwanted software. In addition, two-thirds of the websites are said to link to credit card scams. Entertainment industry groups hope the findings will motivate people to choose legal options instead. Most seasoned visitors of torrent sites and streaming portals know that many of the “download” and “play” buttons present are non-functional, at least in the regular sense. In fact, many of these buttons link to advertisements of some sort, ranging from relatively harmless download managers to dubious services that ask for one’s credit card details. A new report backed by the UK entertainment industry has looked into the prevalence of these threats. The study, carried out by the anti-piracy analysts of Intelligent Content Protection (Incopro), found that only 1 of the 30 most-visited pirate sites didn’t link to unwanted software or credit card scams. According to a press release issued this morning, the research found that of the 30 top pirate sites, “90% contained malware and other ‘Potentially Unwanted Programmes’ designed to deceive or defraud unwitting viewers.” The “Potentially Unwanted Programmes” category is rather broad, and includes popups and ads that link to download managers. In addition, the report links one-third of the sites to credit card fraud. “The rogue sites are also rife with credit card scams, with over two-thirds (67%) of the 30 sites containing credit card fraud,” the press release states. While it’s true that many pirate sites link to malware and other dubious products, the sites themselves don’t host any of the material. For example, none of the top pirate sites TorrentFreak tested were flagged by Google’s Safebrowsing tool. This nuance is left out of the official announcement, but the executive summary of the report does make this distinction.
“We did not encounter the automatic injection of any malicious program on the sites that we scanned. In all instances, the user must be tricked into opening a downloaded executable file or in the case of credit card fraud, the user needs to actively enter credit card details,” Incopro writes. Most of the malware and “potentially” unwanted software ends up on users’ computers after they click on the wrong “download” button and then install the presented software. In many cases these are installers that may contain relatively harmless adware. However, the researchers also found links to rootkits and ransomware. The allegation of “credit card fraud” also requires some clarification. Incopro told TorrentFreak that most of these cases involve links to services where users have to pay for access. “There were 17 separate credit card schemes that were detected through our scanning, with many appearing to be similar or possibly related. Five of the sites had instances of two credit card fraud/scam sites, with the remaining 15 containing one credit card fraud/scam site,” Incopro told us. “An example is someone visits one of the pirate sites and clicks a ‘Download’ or ‘Play now’ button, which is actually an advert appearing on the page, which then asks for payment details to access the content.” This is characterized as “fraud” because these “premium” streaming or download services can result in recurring credit card charges of up to $50 per month, without an option to cancel. The report, which isn’t available to the public, was commissioned by the UK film service FindAnyFilm and backed by several industry groups. Commenting on the findings, FACT’s Kieron Sharp noted that those who fall for these scams are inadvertently funding organized crime. “Not only are you putting your personal security at risk, by using pirate websites you could be helping fund the organised criminal gangs who run these sites as a front for other cyber scams,” Sharp says. 
It is clear that the research is used for scaremongering. Regular users of these sites know all too well what buttons not to click, so they are not affected by any of the threats. However, there’s no denying that some pirate sites deliberately place these “ads” to confuse novice and unsuspecting visitors. Those visitors may indeed end up with adware or malware, or run into scam services. This isn’t in any way a new phenomenon, though; it has been going on for more than a decade already. Ironically, the same anti-piracy groups who now warn of these threats are making them worse by cutting pirate sites off from legitimate advertisers. Source: TorrentFreak
  20. A boom in cybercrime levels is forcing security vendors to release defence updates every 40 minutes, according to security firm Symantec. Orla Cox, senior manager for Symantec Security Response, reported the development during a briefing attended by V3. "We're seeing more sophisticated attacks than ever before and people want security," she said. "Nowadays we are rolling out virus signature upgrades around every 40-50 minutes. They're rapid response upgrades that go through partial vetting. We then follow them up with three upgrades per day that are fully certified." Cox said Symantec began rolling out the rapid updates to help mitigate the growing number of malware variants and active cyber campaigns targeting its customers. "It's been about shaving off minutes for the last couple of years. If you came to us a few years ago it was one [update] and before that it would have taken hours. The rapid updates are for people that need a rapid response, like those suffering an infection." She said Symantec blocked 568,700 web attacks on its customers and detected a massive 1.6 million malware variants per day in 2013. But despite helping customers, Cox said the company's rapid update cycle has increased the risk of pushing out an update with a false positive signature. "The biggest quality issue we face is the danger of false positive definitions. There's a risk of detecting something clean as malicious, that's the big no no in our industry, so it's as much about building definitions libraries about legit files as malicious," she said. False positives are updates from security providers that list legitimate files as malware and block them from running. In the past the faulty updates have caused damage to many companies. In 2013 Malwarebytes crippled thousands of its customers' machines when it issued a false positive update. Cox said the influx of new threats has also forced Symantec to expand its analysis procedures in recent years.
"We've had to evolve how we work, it's not just about providing protection and moving on any more. Threats and the landscape have changed and to address this we've begun doing intelligence work," she said. "We do bespoke research on occasion, with both customers and law enforcement. These situations are ones where we have the skills they don't – that's the benefit of us being here every day, reverse-engineering malware. "Doing this over the years we've had to develop a number of systems and now we're trying to understand the individual attacks in the context of who did them and why." Symantec is one of many technology firms to begin adopting an intelligence-based approach to cyber defence. Facebook unveiled a new automated ThreatData security service designed to detect and catalogue new malware families earlier in March. Source
  21. Hardly two months ago we reported about the first widely spread Android bootkit malware, dubbed 'Oldboot.A', which infected more than 500,000 smartphone users worldwide running the Android operating system in the last eight months, especially in China. Oldboot is a piece of Android malware that's designed to re-infect mobile devices even after a thorough cleanup. It resides in the memory of infected devices; it modifies the devices’ boot partition and booting script file to launch a system service and extract a malicious application during the early stage of the system’s booting. Yet another alarming report about the Oldboot malware has been released by the Chinese security researchers from '360 Mobile Security'. They have discovered a new variant of the Oldboot family, dubbed 'Oldboot.B', designed exactly like Oldboot.A, but the new variant has advanced stealth techniques, especially defenses against antivirus software, malware analyzers, and automatic analysis tools. "The Oldboot Trojan family is the most significant demonstration of this trend," researchers said. The Oldboot.B Android bootkit malware has the following abilities:
• It can install malicious apps silently in the background.
• It can inject malicious modules into system processes.
• It prevents malware apps from being uninstalled.
• Oldboot.B can modify the browser's homepage.
• It has the ability to uninstall or disable installed mobile antivirus software.
INFECTION & INSTALLING MORE MALWARE APPS
Once an Android device is infected by the Oldboot.B trojan, it will listen to the socket continuously and receive and execute commands received from the attacker's command-and-control server. The malware has some hidden ELF binaries that include steganographically encrypted strings, executable code and a configuration file downloaded from the C&C server, located at az.o65.org (IP is After installation, the Oldboot Trojan installs lots of other malicious Android applications or games on the infected device, which are not manually installed by the user.
MALWARE ARCHITECTURE
The Oldboot.B architecture includes four major components, which execute automatically during system startup by registering themselves as a service in the init.rc script:
1) boot_tst - uses a remote injection technique to inject an SO file and a JAR file into the 'system_server' process of the Android system, continuously listens to the socket, and executes the commands sent.
2) adb_server - replaces the pm script of the Android system with itself and is used for anti-uninstallation functionality.
3) meta_chk - updates the configuration file, and downloads and installs Android apps promoted in the background. The configuration file is encrypted, which greatly increases the time required to analyze it. To evade detection, meta_chk destroys itself from the file system, leaving only the injected process. Android antivirus software does not support process memory scanning on the Android platform, so it cannot detect or delete the Oldboot Trojan, which resides in memory.
4) agentsysline - a module written in the C++ programming language that runs as a daemon in the background to receive commands from the command-and-control server. This component can uninstall anti-virus software, delete specific files, enable or disable the network connection, etc.
PROBLEMS FOR SECURITY RESEARCHERS
To increase the problems for malware analyzers:
• It adds some meaningless code and triggers some behavior randomly.
• It checks for SIM card availability on the device, and will not perform certain behavior if there is no SIM card, in order to fool sandboxes or emulators.
• It checks for the existence of antivirus software, and may uninstall the anti-virus software before doing anything malicious.
The malware uses steganography techniques to hide its configuration file inside images: "But after some analysis, we found that the configuration of meta_chk is hidden in this picture, which contains the command that will be executed by meta_chk and other information," researchers said. The size of this configuration file is 12,508 bytes.
"Depending on the commands sent from the C&C server, it can do many different things, such as sending fake SMS messages or phishing attacks, and so on. Driven by profit, the Oldboot Trojan family changes very fast to react to any situation." Oldboot.B is one of the most advanced pieces of Android malware and is very difficult to remove, but antivirus firm 360 Mobile Security has also released an Oldboot detection and removal tool for free, which you can download from their website. To avoid infection, smartphone users should only install apps from trusted stores; make sure the Android system setting 'Unknown sources' is unchecked to prevent dropped or drive-by-download app installs; don't use custom ROMs; and install a mobile security app. Source
22. A year ago, security researchers from the antivirus firm Kaspersky found a sophisticated piece of malware they dubbed 'MiniDuke', designed specifically to collect and steal strategic insights and highly protected political information that is subject to state security.

Now the MiniDuke virus is once again spreading in the wild via innocent-looking but fake PDF documents related to Ukraine, which researchers at F-Secure found while browsing a set of decoy documents extracted from a large batch of potential MiniDuke samples. "This is interesting considering the current crisis in the area," Mikko Hypponen, the CTO of security research firm F-Secure, wrote on Tuesday.

The Hacker News reported a year ago on this malware, which uses an exploit for a vulnerability (CVE-2013-0640) in the widely used Adobe Reader. MiniDuke is written in assembly language, has a tiny file size (20KB) and uses hijacked Twitter accounts for Command & Control; in case the Twitter accounts are not active, the malware locates backup control channels via Google searches.

The malware consists of three components: the PDF file, MiniDuke Main and the Payload. The Payload is dropped after the Adobe process is exploited by opening the malicious PDF file, which refers to topics including human rights, Ukraine's foreign policy, and NATO membership plans.

The infected machine then uses Twitter or Google to collect encrypted instructions showing it where to report for new backdoors, and as soon as the infected system connects to the command servers, it starts receiving encrypted backdoors through GIF image files. Once installed, it may copy, remove or delete files, create databases, stop processes and download new ones, and may also open backdoor access for other Trojans.

F-Secure also provided screenshots of several Ukraine-related documents that were most likely adapted from existing, real public documents.
F-Secure found a bogus document signed by Ruslan Demchenko, the First Deputy Minister for Foreign Affairs of Ukraine. “The letter is addressed to the heads of foreign diplomatic institutions in Ukraine.” When the researchers translated the document, it turned out to be a note regarding “the 100th year anniversary of the 1st World War.” This also signals that the attackers somehow have access to the Ukrainian Ministry of Foreign Affairs.

“We don't know where the attacker got this decoy file from,” Hypponen wrote. “We don't know who was targeted by these attacks. We don't know who's behind these attacks. What we do know is that all these attacks used the CVE-2013-0640 vulnerability and dropped the same backdoor (compilation date 2013-02-21).”

The authors of MiniDuke built the malware with knowledge of how antivirus software works, which sets it apart from other viruses. The malware is unique on each system and contains a backdoor that allows it to avoid system analysis tools; if the virus is detected, the backdoor stops its malicious activity and makes it disappear from the system.

MiniDuke malware previously attacked government entities in Belgium, Brazil, Bulgaria, the Czech Republic, Georgia, Germany, Hungary, Ireland, Israel, Japan, Latvia, Lebanon, Lithuania, Montenegro, Portugal, Romania, the Russian Federation, Slovenia, Spain, Turkey, the United Kingdom and the United States, as well as Ukraine.

Source
23. Imagine you open a WinRAR archive of MP3 files, and it installs malware on your system when you play any one of them. WinRAR, a widely used file archiver and data compression utility, helps hackers distribute malicious code.

Israeli security researcher Danor Cohen (An7i) discovered the WinRAR file extension spoofing vulnerability. The WinRAR file extension spoofing vulnerability allows hackers to modify the filename and extension inside a traditional file archive, which helps them hide malicious binary code inside an archive while pretending to be a '.jpg', '.txt' or any other format.

Using a hex editor tool, he analysed a ZIP file and noticed that the WinRAR tool also adds some custom properties to an archive, including two names: the first name is the original filename (FAX.png) and the second name is the filename (FAX.png) that will appear in the WinRAR GUI window. Danor manipulated the second filename and extension to prepare a special ZIP archive that actually includes a malware file, "FAX.exe", but displays itself as "FAX.png" to the user.

Cyber intelligence company IntelCrawler also published a report revealing that cybercriminals specialized in cyber espionage attacks are using this zero-day vulnerability in the wild to target several aerospace corporations, military subcontractors and embassies, as well as Fortune Global 500 companies. Using this technique, an attacker can drop any malware onto the victim's system in a very convincing manner. "Using this method the bad actors bypass some specific security measures including e-mail server’s antivirus systems," IntelCrawler said.

Danor successfully exploited WinRAR version 4.20, and IntelCrawler confirmed that the vulnerability also works on all WinRAR versions including v5.1.
"One of the chosen tactics includes malicious fake CV distribution and FOUO (For Official Use Only)-like documents, including fax scanned messages" Using social engineering techniques, attacker are targeting high profile victims with spear phishing mails, "Most of sent malicious attachments are hidden as graphical files, but password protected in order to avoid antivirus or IDS/IPS detection." IntelCrawler reported. In above example, the Malware archive file was password protected to avoid antivirus detection, used in an ongoing targeted cyber espionage campaign. Researchers found Zeus-like Trojan as an attachment, which has ability to establish remote administration channel with the infected victim, gather passwords and system information, then send the collected and stolen data to the Command & Control server hosted in Turkey (IP, Salay Telekomünikasyon). Users are advised to use an alternative archiving software and avoid opening archives with passwords even if it has legitimate files. Source
24. Johannes Ullrich of the SANS Institute claims to have found malware infecting digital video recorders (DVRs) predominantly used to record footage captured by surveillance camera systems. Oddly enough, Ullrich claims that one of the two malware binaries implicated in this attack scheme appears to be a Bitcoin miner. The other, he says, looks like an HTTP agent that likely makes it easier to download further tools or malware. However, at present, the malware seems only to be scanning for other vulnerable devices.

“D72BNr, the bitcoin miner (according to the usage info based on strings) and mzkk8g, which looks like a simplar(sp.) http agent, maybe to download additional tools easily (similar to curl/wget which isn’t installed on this DVR by default),” Ullrich wrote in the SANS diary.

The researcher first became aware of the malware last week after he observed a Hikvision DVR (again, commonly used to record video surveillance footage) scanning for port 5000. Yesterday, Ullrich was able to recover the malware samples referenced above. You can find a link to the samples included in the SANS Diary posting.

Ullrich noted that analysis of the malware samples is ongoing, but that it appears to be an ARM binary, which is an indication that the malware is targeting devices rather than your typical x86 Linux server. Beyond that, the malware is also scanning for Synology (network attached storage) devices exposed on port 5000.

“Using our DShield Sensors, we initially found a spike in scans for port 5000 a while ago,” Ullrich told Threatpost via email. “We associated this with a vulnerability in Synology Diskstation devices which became public around the same time. To further investigate this, we set up some honeypots that simulated Synology’s web admin interface which listens on port 5000.”

Upon analyzing the results from the honeypot, Ullrich says he found a number of scans: some originating from Shodan but many others still originating from these DVRs.
“At first, we were not sure if that was the actual device scanning,” Ullrich admitted. “In NAT (network address translation) scenarios, it is possible that the DVR is visible from the outside, while a different device behind the same IP address originated the scans.”

Further examination revealed that the DVRs in question were indeed originating the scans. These particular DVRs, Ullrich noted, are used in conjunction with security cameras, and so they’re often exposed to the internet to give employees the ability to monitor the security cameras remotely. Unlike normal “TiVo” style DVRs, these run on a stripped-down version of Linux. In this case, the malware was specifically compiled to run in this environment and would not run on a normal Intel-based Linux machine, he explained.

This is the malware sample’s HTTP request:

[Image: DVR Malware HTTP Request]

The malware is also extracting the firmware version details of the devices it is scanning for. Those requests look like this:

[Image: Firmware Scan Request]

While Ullrich notes that the malware is merely scanning now, he believes that future exploits are likely.

Source
25. A group of enterprising cybercriminals has figured out how to get cash from a certain type of ATM -- by text message.

The latest development was spotted by security vendor Symantec, which has periodically written about a type of malicious software it calls "Ploutus" that first appeared in Mexico. The malware is engineered to plunder a certain type of standalone ATM, which Symantec has not identified. The company obtained one of the ATMs to carry out a test of how Ploutus works, but it doesn't show a brand name.

Ploutus isn't the easiest piece of malware to install, as cybercriminals need to have access to the machine. That's probably why cybercriminals are targeting standalone ATMs, as it is easy to get access to all parts of the machine.

Early versions of Ploutus allowed it to be controlled via the numerical interface on an ATM or by an attached keyboard. But the latest version shows a remarkable new development: it is now controllable remotely via text message. In this variation, the attackers manage to open up an ATM and attach a mobile phone, which acts as a controller, to a USB port inside the machine. The ATM also has to be infected with Ploutus.

"When the phone detects a new message under the required format, the mobile device will convert the message into a network packet and will forward it to the ATM through the USB cable," wrote Daniel Regalado, a Symantec malware analyst, in a blog post on Monday.

Ploutus has a network packet monitor that watches all traffic coming into the ATM, he wrote. When it detects a valid TCP or UDP packet from the phone, the module searches "for the number 5449610000583686 at a specific offset within the packet in order to process the whole package of data," he wrote. It then reads the next 16 digits and uses those to generate a command line to control Ploutus.

So, why do this? Regalado wrote that it is more discreet and works nearly instantly.
The past version of Ploutus required someone to either use a keyboard or enter a sequence of digits into the ATM keypad to fire up Ploutus. Both of those methods increase the amount of time someone spends in front of the machine, increasing the risk of detection.

Now, the ATM can be remotely triggered to dispense cash, allowing a "money mule," or someone hired to do the risky job of stopping by to pick up the cash, to swiftly grab the gains. It also deprives the money mule of information that could allow them to skim some cash off the top, Regalado wrote. "The master criminal knows exactly how much the money mule will be getting," he wrote.

Symantec warned that about 95% of ATMs are still running Windows XP, Microsoft's 13-year-old OS. Microsoft is ending regular support for Windows XP on April 8, but is offering extended support for Windows XP embedded systems, used for point-of-sale devices and ATMs, through January 2016. Still, Symantec warned that "the banking industry is facing a serious risk of cyberattacks aimed at their ATM fleet."

Source